This document discusses securing Microsoft technologies for HITECH compliance. It covers introducing Microsoft technologies that can help secure protected health information as required by HITECH, including SharePoint, Active Directory, and encryption. It also summarizes challenges around managing risk and complexity when connecting systems and collaborating while maintaining security. Best practices are provided around areas like governance, access controls, and an enterprise security model.
10. Enterprise Security Model
𝑺 = (𝑷 ∗ 𝑨 ) 𝒙 𝒚
Information Security (Collaborative Model)
Equals
People (all actors and agents)
Times
Architecture (technical, physical and
administrative)
11. 2012: From HIPAA to HITECH and “Meaningful Use”
11 | SharePoint Saturday New York City 2011
12. Complexity: RM, ECM and eDiscovery
𝑺 = (𝑷 ∗ 𝑨 ) do the HITECH math…
𝒙 𝒚
Application of HIPAA Security
Standards to Business Associates
“Business Associates”: 42 USC §17931
• Legal
• Accounting New Security Breach Requirements
• Administrative 42 USC §17932(j)
• Claims Processing
• Data Analysis Electronic Access Mandatory for
• QA Patients 42 USC 17935(e)
• Billing
45 CFR §160.103 Prohibited Sale of PHI without Patient
Authorization 42 USC §17935(d)
Consumer Engagement
13. Cryptzone Survey
Gothenburg, 19 January 2012
Survey finds almost half of SharePoint users
disregard the security within SharePoint, and
copy sensitive or confidential documents to
insecure hard drives, USB keys or even email
it to a third party.
Read more: SharePoint Users Develop
Insecure Habits - FierceContentManagement
17. Challenge: connect, collaborate and compartmentalize
Microsoft Connected Health Framework Business
and Technical Framework (Joint Architecture)
http://hce.codeplex.com/
18. Enterprise Security Planning
PRIVACY IMPACT ASSESSMENT
18 direct identifiers (HIPAA)
“content shielding”
data architecture
Mobile Device Management/BYOD World
18 | SharePoint Saturday New York City 2011
19. What usually happens…
User • Active Directory
Device
Browser • HTTPS
SharePoint • Permissions
Database
Storage
19 | SharePoint Saturday New York City 2011
20. Security Reference Architecture
User
• Strong authentication
Device
• Whole disk encryption
Browser
• HTTPS
SharePoint
• Permissions
Database
• Auditing & alerting
Storage • Document & List encryption
• Mandatory access controls
20 | SharePoint Saturday New York City 2011
21. Security Architecture – SPS2010
Authentication Permissions Data Level Endpoint
Services
Authorization
UPM
Hardware
Business Connectivity
Federated ID Security Security Security
Classic/Claims Groups LOB Mobile
Integration Remote
IIS/STS
𝑺 = (𝑷 ∗ 𝑨 ) 𝒙 𝒚
22. Best Practices: privacy and security in
Microsoft SharePoint Server 2010,
Azure and Office365
23. “Can’t Do it Alone:” On Premise Security Ecosystem
• Native
ISV • Network
• 20% • Governance • Data at Rest
• UPM/IAM • 100%
• 60%
SP2010 ISV
23 | SharePoint Saturday New York City 2011
24.
25. Sample: Security Planning Checklist
Content types (PHI/PII)
ECM/OCR
Digital Rights Management (DRM)
Business Connectivity Services and Visio Services (external data sources)
Excel, lists, SQL, custom data providers
Integrated Windows with constrained Kerberos
Metadata and tagging (PHI/PII)
Blogs and wikis (PHI)
Plan permission levels and groups (least privileges) – providers and business
associates
Plan site permissions
Fine-grained permissions (item-level)
Security groups (custom)
Contribute permissions
25 | SharePoint Saturday New York City 2011
26. Best Practices: Preventative Model
NIST Guidelines:
2 Factor Authentication
Encryption of Data at Rest
Trust, but verify… Encryption of Data in Motion
It’s all about the data…
18 HIPAA Direct Identifiers Clinical Expertise
27. Governance: Adapting the Joint Commission Continuous
Process Improvement Model
Plan
• Technical, Physical, Administrative Safeguards
Document
• Joint Commission, Policies, Procedures, IT Governance
Train
• Clinical, Administrative and Business Associates
Track
• Training, Compliance, Incidents, Access…. everything
Review
• Flexibility, Agility, Architect for Change
28.
29.
29 | SharePoint Saturday New York City 2011
30.
30 | SharePoint Saturday New York City 2011